It's my first time using certbot in Docker with nginx.
- nginx version: 1.23.1
- nginx build : docker (macbre/nginx-http3)
- OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
nginx throws this error when trying to use OCSP stapling:

```
nginx: [warn] "ssl_stapling" ignored, not supported
```

The cert seems to support OCSP:

```shell
openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.org
```

nginx SSL conf:

```nginx
# =============================================================================
# default Certificates
ssl_certificate /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;
# =============================================================================
ssl_dhparam /certs/dir/dhparam.pem;
# =============================================================================
# # OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;
# # replace with the IP address of your resolver
resolver 1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout 3s;
# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data on;
# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;
# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;
# Enable session tickets
ssl_session_tickets off;
```

Those didn't help:
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
- Nginx "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
- https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
- https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions and more like it
- nginx proxy doesn't cache OCSP responses
- Nginx OCSP_basic_verify:signer certificate not found
- and many from this list: https://stackoverflow.com/search?q=nginx ocsp

Has anybody encountered this issue before? Or could anyone tell me how to overcome this? I want to set up OCSP with nginx.
CodePudding user response:
> OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

Based on this discussion it looks like OCSP stapling when using BoringSSL is not fully supported. While there is a patch to add support for OCSP stapling to nginx, it needs to have the OCSP response provided as a file; it cannot retrieve it automatically from within nginx from the OCSP responder. To cite:

> Due to usage of BoringSSL instead of OpenSSL, some directives may not work, e.g. ssl_conf_command. Besides, direct OCSP stapling via ssl_stapling on; ssl_stapling_verify on; does not work too. You should use ssl_stapling on; ssl_stapling_file /path/to/ocsp;. The OCSP file can be generated via ...
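The following is an added example, not part of the question or the answer above: a small POSIX shell check that reproduces the diagnosis in script form. It takes the `nginx -V` output (the question's build line reports BoringSSL) and the stapling block of the config, and reports whether nginx would be expected to fetch the OCSP response itself (`ssl_stapling on` with no `ssl_stapling_file`), which is the combination the answer says does not work with BoringSSL builds. The `nginx -V` text and the config are constructed inline so the script runs offline; the function names (`tls_lib_is_boringssl`, `stapling_mode`, `stapling_check`) are my own and the path used in the test (`/certs/dir/ocsp.der`) is a placeholder.

```shell
#!/bin/sh
# Added example (not from the question or the answer): decide whether an nginx
# build's OCSP stapling config relies on the automatic in-process fetch that
# BoringSSL builds cannot perform. In practice feed it `nginx -V 2>&1` and
# the relevant server block; the inputs below are constructed samples.

# Constructed sample of `nginx -V 2>&1` for a BoringSSL build (build line
# taken from the question)
SAMPLE_NGINX_V='nginx version: nginx/1.23.1
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled'

# Constructed sample config: the stapling block from the question
SAMPLE_CONF='ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /certs/dir/chain.pem;
resolver 1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;'

# Returns 0 when the build output reports BoringSSL, 1 otherwise.
tls_lib_is_boringssl() {
  printf '%s\n' "$1" | grep -q 'BoringSSL'
}

# Prints one word describing the stapling configuration:
#   ok          ssl_stapling is off or absent, nothing to check
#   needs-file  ssl_stapling on without ssl_stapling_file: nginx would have
#               to fetch the response from the responder itself
#   file        ssl_stapling on with ssl_stapling_file: response supplied
#               from a file, the mode the answer recommends for BoringSSL
stapling_mode() {
  # Drop comment lines so a commented-out directive does not count as active.
  active=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#')
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
    echo ok
    return 0
  fi
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_stapling_file[[:space:]]+'; then
    echo file
  else
    echo needs-file
  fi
}

# Combined verdict: exit 1 (with a message) when a BoringSSL build is
# configured for automatic stapling, exit 0 otherwise.
stapling_check() {
  if tls_lib_is_boringssl "$1" && [ "$(stapling_mode "$2")" = needs-file ]; then
    echo 'BoringSSL build with ssl_stapling on and no ssl_stapling_file: nginx will ignore stapling; supply the OCSP response via ssl_stapling_file'
    return 1
  fi
  echo 'stapling configuration looks usable for this build'
  return 0
}

# Run against the constructed samples; the non-zero status is intentionally
# not propagated so the script can be sourced or run as a demo.
stapling_check "$SAMPLE_NGINX_V" "$SAMPLE_CONF" || :
```

The check only looks at the directives nginx reads; it says nothing about whether the OCSP response in the file is current, so when you switch to `ssl_stapling_file` the file still has to be refreshed before the responder's `nextUpdate` time or clients will see a stale staple.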